Implementing Cisco Threat Control Solutions (SITCS)
BRKCRT-2211
Sam Camarda
Consulting Systems Engineer
© 2014 Cisco and/or its affiliates. All rights reserved. BRKCRT-2211 Cisco Public
Agenda
• CCNP Security
• NGFW Services (CX)
• Web Security Appliance (WSA)
• Cloud Web Security (CWS)
• Email Security Appliance (ESA)
• Network Intrusion Prevention (IPS)
• Conclusion
CCNP Security Track
• 4 Exams
– 300-206 Implementing Cisco Edge Network Security Solutions (SENSS)
– 300-207 Implementing Cisco Threat Control Solutions (SITCS)
– 300-208 Implementing Cisco Secure Access Solutions (SISAS)
– 300-209 Implementing Cisco Secure Mobility Solutions (SIMOS)
• CCNA or CCIE prerequisite; certification valid for three years
• Certification info available at learningnetwork.cisco.com
– Community Discussion Boards
– CCNP Security Study Groups
Implementing Cisco Threat Control Solutions
• 90-minute exam consists of 65–75 questions and covers integration of Intrusion Prevention System (IPS) and context-aware firewall components, as well as Web (Cloud) and Email Security solutions.
• Refreshed January 2014
• Knowledge Allocations:
– 22% Content Security
– 23% Threat Defense
– 16% Devices GUIs and Secured CLI
– 19% Troubleshooting, Monitoring and Reporting Tools
– 8% Threat Defense Architectures
– 12% Content Security Architectures
• http://www.cisco.com/web/learning/exams/list/spec_sitcs.html
ASA NGFW
ASA NGFW Features
• Application Visibility & Control
• URL Filtering including Custom Categories
• Web Reputation
• User Identification – Active & Passive
• User Device Identification – User Agent & AnyConnect VPN
• SSL/TLS Decryption
• IPS Threat Defense
• Rate Limiting
• Reporting / Event Monitoring
Cisco ASA NGFW
• Best positioned at the Internet Edge
• 2 Form Factors
– ASA 5500-X Software Module
– ASA 5585-X Hardware Module
• On-box or Off-Box Management
• Feature Licenses
– Application Visibility & Control
– Web Security Essentials
– Threat Defense
• Deployed Inline or Promiscuous
ASA NGFW Broad and Web AVC
• Broad AVC based on NBARv2: Multi-application support over many ports
• Web AVC—HTTP and HTTPS (decrypted) traffic—Example: Allow Facebook but deny Facebook games.
• Application types—Examples: Dropbox, Google Drive, Yahoo Messenger, Google Talk, and so on.
• Application signature updates are downloaded from Cisco Security Intelligence Operations (SIO) center every 5 minutes. Scanning engines also receive regular updates from Cisco SIO.
• Typically, the ASA NGFW scanning engine update is required only once every 3 months.
ASA NGFW Policy Types
• Identity Policies (Active or Passive)
– Which traffic requires authentication. (Default = Don't use user identity)
• Decryption Policies(TLS/SSL)
– Traffic is decrypted for inspection. (Default = Don't decrypt)
• Access Policies (Allow/Warn/Deny)
– Scope of traffic allowed through the machine. (Default = Allow all traffic)
• Threat Detection Policies (Inline/Monitor-only)
– Client traffic is inspected for threats
Compatibility with Existing Cisco ASA Features
• ASA Clustering and active/active failover are not currently supported.
• Active/standby failover, transparent firewall mode, and IPv6 are supported.
• ASA multiple context mode is supported in 9.2.1; traffic can be redirected from a single ASA context or from multiple ASA contexts.
• ASA NGFW 9.2.1 release requires the ASA 9.1.3 release running on the ASA.
• Do not configure HTTP inspection, Cloud Web Security inspection or the Mobile User Security feature when using the ASA NGFW.
ASA NGFW - Software Model
• All Midrange models
– ASA5512, 5515, 5525, 5545, 5555
• NGFW or Traditional IPS
• Single or Dual 128G solid state drive
– Database, Application packages
– ASA used for Boot Image
• 200Mbps to 1.2Gbps performance
• Shared management interface - 192.168.1.2
• ASA software release 9.1(1) or later
ASA NGFW - Hardware Model
• High Performance 5585X – 10Gbps Hardware
– SSP10, SSP20, SSP40, SSP60
• Occupies top slot - NGFW or Traditional IPS
• Single or dual 600G hard drive
• Data ports shared between ASA and NGFW
• ASA Software Release 8.4(4) or later
• Clustering compatible
• Dedicated management interface
• 2-13 Gbps throughput
ASA NGFW Management Architecture
• Prime Security Manager – HTMLv5
– Configuration / Monitoring / Licensing
– Change / Commit architecture
• On-box or Off-box – mutually exclusive
– UCS Appliance or VMware OVA
– Off-box: Multi-device control, additional logging, RBAC, ASA management
• RESTful XML over HTTPS
• Reliable Binary Logging – TCP Port 4466
• Support for high availability – v9.2
• Minimal CLI configuration / monitoring
PRSM CLI – Log Management
ASA NGFW CLI Commands
• delete – delete files (cores and package captures)
• setup – configure the IP addresses, hostname, domain, DNS, NTP
• system (reload | shutdown) – reboot or stop the blade
• system (upgrade | revert) – upgrade or downgrade the OS
• services (start | stop) – turn on and off the services including packet inspectors
• ping, nslookup, traceroute – management interface connectivity troubleshooting
• show interface – statistics for management interface
• show opdata – show operational data from the data plane
• show tech-support – outputs for Cisco support troubleshooting
• support tail log – watch the logs on the CLI
• support diagnostics – package and upload a collection of logs and debug info (including packet captures)
• config (backup | restore) – backup or restore the configuration. Backup requires FTP. Restore requires FTP or HTTP
Policy & Traffic Flow
• Interesting traffic is redirected via the ASA
– ASA Traffic Class and Policy Maps
– Configured via ASA or Off-Box PRSM
– Fail-Open or Fail-Close
• Policy Sets are configured for Access, Identity, Decryption, IPS, NAT
– Top down, first match
– Ends with default Permit Any
• Off-box PRSM management can manage ASA ACL, interface and NAT capabilities
• ASA performs Active Identification (cut-through proxy)
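The top-down, first-match evaluation described above (policy sets evaluated in order, ending in a default Permit Any) is easy to get wrong when rules are reordered, so here is an added worked example that is not Cisco code and not taken from PRSM: a small policy-set evaluator in Python. The Flow and Rule types, the match fields (source network, identity group, AVC application, URL category) and the sample policy set are all constructed for this illustration; a real NGFW policy has more fields and object types than shown.

```python
"""Top-down, first-match evaluation of an NGFW-style access policy set.

Added illustration, not Cisco/PRSM code. Rule fields, the Flow record and
the sample POLICY_SET are constructed to mirror the slide's description:
rules are evaluated top-down, the first match wins, and the set ends in an
implicit 'permit any'.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    user_group: Optional[str]      # supplied by the identity policy; None if unauthenticated
    application: Optional[str]     # AVC classification (e.g. "dropbox", "facebook-games")
    url_category: Optional[str]    # URL-filtering category, None for non-web traffic


@dataclass
class Rule:
    name: str
    action: str                                        # "allow" | "warn" | "deny"
    src_networks: list = field(default_factory=list)   # empty list = match any
    user_groups: list = field(default_factory=list)
    applications: list = field(default_factory=list)
    url_categories: list = field(default_factory=list)

    def matches(self, flow: Flow) -> bool:
        """Every populated field must match; empty fields are wildcards."""
        if self.src_networks and not any(
            ip_address(flow.src_ip) in ip_network(n) for n in self.src_networks
        ):
            return False
        if self.user_groups and flow.user_group not in self.user_groups:
            return False
        if self.applications and flow.application not in self.applications:
            return False
        if self.url_categories and flow.url_category not in self.url_categories:
            return False
        return True


# The implicit last rule of every policy set on the slide.
DEFAULT_RULE = Rule(name="default-permit-any", action="allow")


def evaluate(policy_set, flow: Flow):
    """Return (rule_name, action) of the first matching rule, else the default."""
    for rule in policy_set:
        if rule.matches(flow):
            return rule.name, rule.action
    return DEFAULT_RULE.name, DEFAULT_RULE.action


# Constructed sample policy set, in the order an administrator entered it.
POLICY_SET = [
    Rule("block-fb-games", "deny", applications=["facebook-games"]),
    Rule("warn-social-contractors", "warn",
         user_groups=["contractors"], url_categories=["social-networking"]),
    Rule("allow-social-staff", "allow",
         user_groups=["employees"], url_categories=["social-networking"]),
    Rule("deny-guest-cloud-storage", "deny",
         src_networks=["10.50.0.0/16"], applications=["dropbox", "google-drive"]),
]

if __name__ == "__main__":
    # An employee reaching Facebook games is still denied: rule 1 matches first,
    # so the later "allow-social-staff" rule never gets a chance to apply.
    print(evaluate(POLICY_SET, Flow("10.1.1.5", "employees", "facebook-games", "social-networking")))
    # Non-web traffic from a guest network that no rule covers falls through to permit-any.
    print(evaluate(POLICY_SET, Flow("10.50.3.9", None, "ssh", None)))
```

The first print shows the ordering trap the slide's "top down, first match" bullet warns about: a narrow deny placed above a broad allow wins, and swapping the two rules silently changes the outcome.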
Policy Objects
• Network Group (IPv4/IPv6)
• Service Group
• Identity Object
• URL Object
• Browser Agent Object
• Application Objects
• Secure Mobility Objects
• Application Service
• File Filtering
• Web Reputation
• Used in Policy Configuration
– Reusable
– One-Way Discoverable from ASA
– Supports REGEX
• Various types depending on policy need
Global Policy Definition
Access Policy Creation
Troubleshooting
• PRSM Dashboard
– Statistical reporting
• Event Viewer
– Customizable Syslog viewer
• Packet Capture
– Capture raw data for off box analysis
• CLI
– Application
– Interface
– Identity
Web Security Appliance
Web Security Appliance
• Monitors and mitigates abnormal web activity between users and the Internet.
• Enterprise-class Proxy
– Explicit
– Transparent
• Functions
– Enforce Acceptable Use
– Content inspection
– Block malware, spyware and other threats
• HTTP, HTTPS and FTP over HTTP
• Appliance or Virtual Machine
Web Security Appliance Overview
Figure: request/response path through the WSA. At time of request and time of response, traffic passes Cisco® SIO URL Filtering, the Reputation Filter, Dynamic Content Analysis (DCA), Signature-based Anti-Malware Engines and Advanced Malware Protection; each stage can Block, Warn, Partially Block or Allow the transaction.
WSA License Options
• Subscription Based Licensing
• License: Cisco Web Security Essentials
– Threat Intelligence, Layer 4 Traffic Monitoring, AVC Policy management, Actionable reporting, URL filtering, Third-party DLP integration via ICAP
• License: Cisco Web Security Premium
– Essentials plus Real Time Malware Scanning
• Cisco Anti-Malware License
• Sophos, Webroot or McAfee real-time malware scanning available as a single, a la carte license.
WSA Policy Types
• Access, Identity, Decryption
• Software as a Service (Google Apps, SalesForce, WebEx)
• Routing (traffic redirection, modification)
• Bandwidth
• Data Security (On-box and external)
• Malware Scanning
• SOCKS
• Policy Results
– Allow, Warn, Block, Redirect, Monitor
– First match (top-down order)
Global Policy Configuration
Application Policy Configuration
Controlling behaviors within known applications.
Decryption Policy Configuration
Decryption can be done via URL Category, Reputation or other classification methods.
Policy Trace Tool - Troubleshooting
The WSA walks the user/attributes through the policy tree.
Integrating WSA into the Network
• Explicit
– Web Proxy Auto Discovery Protocol (WPAD)
– Proxy Auto Configuration (PAC)
– Manually Defined
• Transparent
– Web Cache Control Protocol (WCCP) v2
– Policy Based Routing
– Layer 4 or 7 switch
• WSA relies on HTTP to capture client identity
– Explicit: HTTP407: Proxy Auth Request
– Transparent: HTTP307 Temporary Redirect followed by HTTP401 Auth Required
WSA Realms and Realm Sequences
• An authentication realm is a set of one or more authentication servers supporting a single authentication protocol.
• Only one NTLM realm can be configured (Basic/NTLMSSP).
• More than one LDAP realm can be configured (v2/v3/Secure).
• A realm sequence is an ordered sequence of realms.
• Cisco Context Directory Agent
– Standalone Virtual Machine
– Transparent with Active Directory
– Monitors Active Directory for logged in users and maps IP Address to Name
• Ability to define access controls for users who fail authentication.
Bandwidth Control
• The Cisco Application Visibility and Control engine allows administrators to control the amount of bandwidth used for particular application types.
• You can limit the bandwidth usage for media applications
– Cache or real-time
• Two limit types:
– Overall bandwidth limit
– User bandwidth limit
• The most restrictive option applies.
Web Reputation (WBRS)* Filtering
• Assigns a web-based reputation score to a URL to determine the likelihood that it contains URL-based malware.
– Information provided by the Cisco SIO
• Can be used with Access, Decryption, and Data Security Policies.
• Web Reputation Scores are associated with an action to take on a URL request.
• Available actions depend on the policy group type that is assigned to the URL
* Consists of: URL categorization data, presence of downloadable code, presence of long, obfuscated EULAs, global volume and changes in volume, URL categorization, network owner information, URL history, URL age, presence on any allow/block lists, URL typos, domain registrar information, IP address information.
Data Security Overview
• Control of sensitive data leaving the network (HTTP, HTTPS, FTP)
• Configured on the Cisco WSA using data security filters and policies
• Policy actions based on file metadata
– File type, size, and name
– WBRS
– URL category
• Applies to all POST and PUT requests over 4 KB
• Evaluated before access policies
• Alternatively achieved by integration with third-party DLP systems
External Data Loss Prevention
• Supported integration with:
– Vontu DLP
– RSA Tablus DLP
• Uses ICAP
– Standard for integrating off-box scanning with web proxies
– ICAP client: Cisco Web Security Appliance
– ICAP server: Vontu / RSA Tablus
• ICAP server provides reporting, logging, and quarantine feature
• Multiple DLP servers supported for load balancing and failover
Cisco Cloud Web Security
Cisco Cloud Web Security Overview
• CWS provides real time scanning of HTTP and decrypted HTTPS traffic and malware protection
• Data centers geographically spread across the globe
• Identity aware
• CWS can be integrated with:
– Cisco ASA
– Cisco ISR G2
– Cisco WSA
– AnyConnect Secure Mobility Client.
• On-Premises and/or Off-Premises protection
Figure: CWS data center locations shown on the map – San Francisco, Hong Kong, Tokyo, Chicago, Dallas, London, Frankfurt, Miami, New York, Sydney, Copenhagen, Singapore, Sao Paulo, Toronto, Vancouver, Zurich, Bangalore, Johannesburg, Paris.
Cisco Web Security Provides Strong Protection
Figure: Cisco Cloud Web Security scanning pipeline. Traffic passes Cisco® SIO URL Filtering, the Reputation Filter, Dynamic Content Analysis (DCA), Signature-based Anti-Malware Engines and Real-time Sandbox Analysis; each stage can Block, Warn, Partially Block or Allow the transaction.
Cisco ScanCenter Management Overview
• Access the ScanCenter at https://scancenter.scansafe.com.
• The ScanCenter is the Cisco Cloud Web Security administration portal.
• Manage users and groups, set policy, monitor traffic, and generate reports.
• Policy-rule actions include block, allow, warn, authenticate and anonymize.
Policy Configuration
Cisco ASA Cloud Web Security Overview
• Supported in IPv4 routed mode (single or multi-context), but not supported in transparent mode or with clustering
• Can have one primary and one backup Cisco CWS proxy server
• Traffic can be locally whitelisted to bypass inspection
– Applications update, VPN, trusted locations
• Understands user and group information. Compatible with Cisco CDA
• Configured via CLI or GUI
• Keepalives – TCP 3-way handshake every 15 minutes
– Automatic revert back to primary
– ASA Connector: ASA 9.0 or later
Scanning & Zero Day Intelligence
• Content is first broken down into types, like PDF, EXE, GIF, Java, scripts, etc.
– 3rd party antivirus signature analysis. Analyzed for already known threats.
• Traffic that comes clean from this scan is delivered to Outbreak Intelligence. Content is again broken into types for further scanning
– Deep Content Analysis: Content is analyzed for suspicious anomalies, like executable code in image file, animated GIF file with only one frame etc.
– Structural Content Investigation: Content is controlled structurally for potentially harmful, hidden behavior.
– Virtualized Script Emulation: Very important part because it runs suspicious scripts in virtualized cloud infrastructure to check for hidden malicious behavior.
• After this scan, traffic content is determined to be safe or not.
• CWS will block part or all of the unsafe data
Cloud Web Security Traffic Redirection Overview
• Two methods to redirect user HTTP and HTTPS traffic
– Connector approach leveraging a Cisco device (ASA/ISRG2/WSA/AnyConnect)
– Direct to cloud approach (explicit proxy)
• Redirected traffic is encrypted – requires 3DES/AES license
• CWS Account Verification (generated from ScanCenter)
– Company Authentication Key – 16 byte hex number used on all devices
– Group Authentication Key – unique on each Cisco device
• Key allows CWS to associate traffic to customer/policy
• Account verification can be done at http://whoami.scansafe.net
– Company name, Connector version, external IP and so on are displayed if traffic is being redirected to the CWS proxy service
AnyConnect Web Security Module Overview
• Route HTTP and HTTPS traffic to Cisco Web Cloud for evaluation
– Windows only
• The AnyConnect Web Security module can be installed in two ways:
– ASA via an established SSLVPN connection
– Manual or Automatic Distribution
• Configuration is done via AnyConnect Profile Editor
– Standalone on Windows
– Web Security module on ASA
• XML Config file with .wso extension
– WebSecurity_ServiceProfile.wso is installed in the Profiles\websecurity folder
– Installed locally or from the CWS cloud
Cisco Email Security Appliance
Email Security Appliance Overview
• Secures the network edge by embedding multiple roles in a single system.
• Security services include: Reputation Filters, Message Filters, Anti-spam, Antivirus, Content Filters, Outbreak Filters, and DLP.
• Physical/Virtual, Cloud and Hybrid Solutions
– Cloud for Inbound, Local for Outbound
• Advanced cloud based email encryption key service through Cisco Registered Envelope Service (CRES)
• Active Directory / LDAP Integration
• Threat Database updated every 3-5 minutes
• Policy Trace and Message Tracking
Email Security Appliance Flow
Figure: inbound message flow, fed by Cisco® SIO – SenderBase Reputation Filtering (drop), Anti-Spam & Spoofing Prevention (drop/quarantine), AV Scanning & AMP (drop/quarantine), Real-time URL Analysis (quarantine/re-write URLs); messages that pass every stage are delivered.
Email Security Appliance Flow Summarized
• Accept Mail (SMTP server) – SMTP Receive
– Listen for SMTP connections
– Receive mail
– Enforce SMTP policies
– LDAP lookups
– Enqueue message
– Release inbound connection; the MTA is now responsible for the message
• Process Mail (Work Queue)
– Queue up for worker threads to perform slower tasks
– LDAP lookups
– Filter and scan messages
– Enqueue for delivery
• Deliver Mail (SMTP client) – SMTP Delivery
– Connect to destination MX host
– Enforce delivery policies
– Deliver message
– Release connection and message
– Possibly bounce
ESA General Setup
• ESA factory defaults – recommended to change both
– IP Address 192.168.42.42
– Username admin, password ironport
• Single or Dual Interface configuration to process mail traffic
– Single Listener or dual Listeners
– Public (MX/SMTP) and/or Private (IMAP/MAPI/POP)
• Listener components – Controlling Email
– HAT: Defines which remote hosts are allowed to connect and sets constraints for the incoming connections from the remote hosts
– RAT: Specifies the local domains for which the ESA will accept incoming email
• HAT and RAT control inbound email. HAT also controls outbound mail
Single Listener Deployment
Figure: the ESA sits in the DMZ behind the ASA firewall (NAT to a public IP), with the mail server, MTA relay and LDAP server on the internal network and an M-Series appliance for management (IPS shown on the path). A single physical interface with one IP address and a single listener handles incoming and outgoing mail.
Dual Listener Deployment
Figure: same DMZ placement (ESA behind the ASA firewall with NAT to a public IP, LDAP server and mail server on the internal network, M-Series management). One interface sends and receives mail from the Internet; the Data 2 interface, with an RFC1918 address, receives and sends mail from the Intranet.
Incoming / Outgoing Mail – Host Access Table
• The HAT controls mail policy for the SMTP server/client.
– Permit mail from all external sources
– Allow only designated internal sources
Single HAT Example
Incoming Mail – Recipient Access Table
• Controls whether the ESA will accept mail for a given recipient/domain.
– Analyzes the Recipient To: field in the SMTP transaction
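To make the division of labour between the HAT and the RAT on the last two slides concrete, here is an added example in Python that is not Cisco/AsyncOS code: a simulated listener that answers an SMTP RCPT TO based on a constructed HAT (matched top-down by connecting IP) and a constructed RAT (set of local domains). The policy names RELAY/ACCEPT/REJECT, the table contents, the reply texts and the function names are all constructed for this illustration; the real ESA rejects a blocked host at connection time and uses its own sender-group and policy names.

```python
"""Simulated ESA listener decisions driven by a Host Access Table (HAT)
and a Recipient Access Table (RAT).

Added illustration, not Cisco/AsyncOS code. Table contents, policy names
and reply texts are constructed. Mirrors the slides: the HAT decides
whether a connecting host may use the listener (and whether it may relay
outbound), the RAT decides which local domains inbound mail is accepted for.
"""
from ipaddress import ip_address, ip_network

# HAT: evaluated top-down by connecting IP; first match wins. (constructed)
HAT = [
    ("10.0.0.0/8",   "RELAY"),   # designated internal sources: may relay to any domain
    ("192.0.2.0/24", "REJECT"),  # a blocked external range (RFC 5737 documentation space)
    ("0.0.0.0/0",    "ACCEPT"),  # all other external sources: accept mail for local domains only
]

# RAT: local domains this listener accepts inbound mail for. (constructed)
RAT = {"example.com", "corp.example.com"}


def hat_lookup(client_ip: str) -> str:
    """Return the HAT policy for the connecting host; no match means REJECT."""
    addr = ip_address(client_ip)
    for net, policy in HAT:
        if addr in ip_network(net):
            return policy
    return "REJECT"


def rcpt_decision(client_ip: str, rcpt_to: str):
    """Return the (smtp_code, text) the listener would answer to RCPT TO:<rcpt_to>."""
    policy = hat_lookup(client_ip)
    if policy == "REJECT":
        return 554, "Access denied"            # HAT refuses this host entirely
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if policy == "RELAY":
        return 250, "recipient ok (relay)"     # internal source: outbound relay permitted (HAT)
    if domain in RAT:
        return 250, "recipient ok"             # external source, local domain: accept (RAT)
    return 550, "Relaying denied"              # external source, foreign domain: not an open relay


if __name__ == "__main__":
    for ip, rcpt in [("203.0.113.7", "alice@example.com"),   # inbound to a local domain
                     ("203.0.113.7", "bob@other.example"),   # external host asking to relay
                     ("10.1.2.3", "bob@other.example"),      # internal host sending outbound
                     ("192.0.2.5", "alice@example.com")]:    # blocked range
        print(ip, rcpt, "->", rcpt_decision(ip, rcpt))
```

The second case is the one to check on a real deployment: an external host that is allowed to connect must still be refused for non-local recipients, otherwise the listener becomes an open relay. That refusal comes from the RAT, while the internal host in the third case is allowed through purely by its HAT policy.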
Mail Policies
• Rules for managing email flow within the organization.
– Matches mail with ESA analysis tools
• Separate Incoming and Outgoing policies
Anti-Spam Overview
• Processed after reputation filters – Cisco Senderbase
• Content Adaptive Scanning Engine (CASE)
• CASE combines who, how, what, where, to derive a score 1-100
– Positive Spam: score > 90
– Suspect Spam: 50 < score ≤ 89
• Identified Spam can be delivered, dropped, quarantined, or bounced
• Quarantine can be stored locally, centrally or be disabled
• Users can verify, create Safelists, Blacklists
Reporting
• Reporting is done in a drill-down fashion.
– Inbound and outbound emails
– Policy and threat blocked emails
– Content, spam virus, invalid recipients, etc.
• Reports can be:
– Run for specific time ranges
– Scheduled to be run off hours
– Automatic delivery to recipients
Cisco Intrusion Prevention Systems
Cisco IPS Overview
• Provides filtering of known network worms and viruses, DoS traffic, and directed hacking attacks.
– Over 5500 Signatures
– Anti-evasion technology
– Zero-day protection
• Hardware appliance, hardware module, software module
– Standalone, ASA, NGFW, IOS
• Flexible Deployment Modes
– Inline with Blocking and Reporting capability
– Promiscuous with Reset, Monitoring and Reporting capability
• Support for up to 4 virtual sensors per IPS
Cisco IPS Overview
Figure: sensor processing pipeline, laid out as Before Attack / During Attack / After Attack. Traffic passes IN → OUT through:
• Reputation Filtering – known-bad hosts are dropped
• Virtual Sensor Selection – traffic directed to the appropriate sensor
• Attack De-obfuscation – normalize inbound traffic to remove attempts to hide an attack
• Atomic Inspection – single-packet (atomic) attacks detected
• Inspection Engines – Vulnerability, Exploit, Behavioral Anomaly, Protocol Anomaly
• On-box Correlation Engine – Meta Event Generator for event correlation
• Risk-based Policy Control – calibrated “Risk Rating” computed for each event; event action policy based on risk categories (e.g. High / Med / Low); filters for known benign triggers; optional network participation
• Mitigation and Alarm – “Threat Rating” of event indicates level of residual risk
• Forensics Capture
Cisco Security Intelligence Operations feeds the sensor with Signature Updates, Engine Updates and Global Correlation.
IPS Management Options
• IPS Device Manager (IDM)
– Configure, administer, and monitor individual IPS sensors
• IPS Manager Express (IME)
– System health, events, and collaboration monitoring in addition to reporting and configuration for up to ten sensors.
• Adaptive Security Device Manager (ASDM)
– Tabbed interface similar to IDM. Single application to manage Firewall and IPS
• Cisco Security Manager (CSM)
– Comprehensive management solution that enables advanced management and rapid troubleshooting of multiple security devices. Enables operational efficiency
• Command Line (CLI)
IPS Sensor Deployment Modes
• Promiscuous mode – Single Interface
– Sensor receives a copy of network traffic for analysis
– No production traffic impact for performance or failure
– Limited threat containment (TCP Reset, Shunning)
• Inline interface pair – Dual Interface
– Bump in the wire
– Impact for performance and possibly failure
– Superior threat containment
• Inline VLAN pair – Single interface, dual VLAN on single switch
• Inline VLAN group – Single interface, multi-VLAN on dual switches
• Similar to a firewall, avoid asymmetric traffic flows
IPS Integration with the Cisco ASA
• Traffic flowing through the ASA can be redirected to the IPS module
• Selective traffic monitoring
– Controlled via an Access Control List
– Traffic can also be selected via user identity options (username/Active Directory group)
• Inline or Promiscuous
• Fail-open or Fail-close capability
IPS Signatures
• Three Signature types supported
– Default – Built into and downloaded to the sensor
– Tuned - Built-in that have been modified
– Custom – Locally created signatures
• Signature Engines
– A signature engine is a traffic inspection function that analyzes a particular aspect (protocol, traffic pattern, and so on) of network traffic.
– Each Cisco IPS signature is controlled by a particular signature engine.
– Signature engines process traffic in parallel.
• Custom Signatures
– Signature numbers 60,000 and higher
Threat Prevention Profiles
• Simplify the signature tuning effort with preset groups of signatures designed for specific network locations.
• Use Case Profiles
– SCADA – Industrial Control Systems
– Edge - client protection for the Internet edge
– Web Applications – server farm environments
– Data Center – overall protections for the data center
• Implemented in 7.3(1) code
• Available on the 43xx and 45xx IPS appliances
Cisco Signatures Configuration
Risk Rating (RR)
• Quantitative measure of your network's threat level before IPS mitigation.
• A value between 0 and 100 that represents a numerical quantification of the risk associated with a particular event on the network
– Range 90 to 100 - add the Deny Packet action to the Default Signature action(s)
– Value less than 90 just apply the Default Signature action(s)
• Add event actions globally without having to modify each signature individually
• Reputation data is also factored in RR calculation
RR = (ASR * TVR * SFR) / 10,000 + ARR – PD
Understanding Threat and Risk Rating
Component | IPS Variable | Source | Values
Potential damage | Attack Severity Rating (ASR) | Preconfigured in a signature, tunable | Informational (25), Low (50), Medium (75), High (100)
Target asset value | Target Value Rating (TVR) | Manually configured | Zero (50), Low (75), Medium (100), High (150), Mission Critical (200)
Signature accuracy | Signature Fidelity Rating (SFR) | Preconfigured in a signature, tunable | 0–100
(Promiscuous adjustment) | Promiscuous Delta (PD) | Preconfigured in a signature, tunable | 0–30
Attack relevancy | Attack Relevancy Rating (ARR) | Collected or manually configured | Relevant (10), Unknown (0), Not Relevant (–10)
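The Risk Rating formula and the component table above are easier to reason about when worked through with numbers, so here is an added example in Python, not Cisco sensor code: it computes RR = (ASR * TVR * SFR) / 10,000 + ARR – PD from the table's values and applies the slide's event-action rule (RR 90–100 adds Deny Packet to the signature's default actions). The lookup names, the function names, the "deny-packet" action label and the choice to round to the nearest integer and clamp to the slide's stated 0–100 range are assumptions of this example; the decision to subtract PD only for events seen in promiscuous mode follows the variable's name (Promiscuous Delta) and is likewise marked as an assumption in the code.

```python
"""Cisco IPS Risk Rating worked example.

Added illustration, not Cisco sensor code. Implements the slide's formula
    RR = (ASR * TVR * SFR) / 10,000 + ARR - PD
with the component values from the table and the slide's action rule
(RR 90-100 adds Deny Packet to the default signature actions).
Assumptions of this example: RR is rounded to the nearest integer and
clamped to 0..100 (the slide states RR is a value between 0 and 100), and
the Promiscuous Delta is subtracted only for promiscuous-mode events.
"""

# Component values exactly as listed in the table (constructed lookup names).
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}
DENY_PACKET_THRESHOLD = 90   # slide: "Range 90 to 100 - add the Deny Packet action"


def risk_rating(asr: int, tvr: int, sfr: int, arr: int = 0, pd: int = 0,
                promiscuous: bool = False) -> int:
    """Return the Risk Rating for one event from its component ratings."""
    if not 0 <= sfr <= 100:
        raise ValueError("SFR must be 0-100")
    if not 0 <= pd <= 30:
        raise ValueError("PD must be 0-30")
    rr = asr * tvr * sfr / 10_000 + arr
    if promiscuous:                      # assumption: PD applies to promiscuous-mode events
        rr -= pd
    return max(0, min(100, round(rr)))   # assumption: nearest integer, clamped to 0..100


def event_actions(rr: int, default_actions) -> tuple:
    """Apply the slide's global rule: RR >= 90 adds Deny Packet to the default actions."""
    actions = set(default_actions)
    if rr >= DENY_PACKET_THRESHOLD:
        actions.add("deny-packet")
    return tuple(sorted(actions))


if __name__ == "__main__":
    # A high-severity, high-fidelity hit on a Mission Critical asset saturates the scale.
    rr = risk_rating(ASR["high"], TVR["mission-critical"], sfr=100)
    print(rr, event_actions(rr, ["produce-alert"]))          # 100 -> deny-packet added
    # Same signature on a Medium-value asset that the attack is known not to affect
    # (ARR not relevant) stays below the Deny Packet threshold.
    rr = risk_rating(ASR["high"], TVR["medium"], sfr=85, arr=ARR["not-relevant"])
    print(rr, event_actions(rr, ["produce-alert"]))          # 75 -> default actions only
    # Tuning TVR per asset is the lever the slides emphasise: the identical event on a
    # Mission Critical asset crosses the threshold without touching the signature.
    print(risk_rating(ASR["high"], TVR["mission-critical"], sfr=85, arr=ARR["not-relevant"]))
```

The three prints show why the slide recommends adding actions globally by RR range rather than editing signatures: the same signature fires with different RRs depending on TVR and ARR, and the Deny Packet decision follows from the rating, not the signature.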
Custom IPS Signatures
• Help to address specific threats in your environment
• Create signature ID and Name
• Identify the IPS Engine - Protocol
• Match Conditions
– Header content
– Payload characteristics
• Identify thresholds and counters
• Correlation
• Simplified with the Custom Signature Wizard
Anomaly Detection
• Learns network traffic patterns and identifies behavior deviations
• Finds worms as they attempt to spread
• Identifies worm-infected hosts by their behavior as scanners
• Provides zero-day detection
• Analyzes TCP, UDP and ICMP traffic
• Does not detect email, instant messaging, or file sharing-based worms
• Customizable zones for improved efficacy
– Internal, External, Illegal
• Actions – specific signatures created for anomaly detection
Global Correlation & Reputation Services
• Reputation filters
– First line of defense
– List of IP addresses downloaded from Cisco SensorBase for blocking
• Global correlation
– Adjustment of the event risk rating
– Based on the reputation score
• Participating IPS devices
– Send data to the global correlation database.
– Receive threat updates
Reputation and Correlation Flow
• Reputation Filters block access to IPs on stolen ‘zombie’ networks or networks controlled entirely by malicious organizations
• Global Correlation raises the Risk Rating of events when the attacker has a negative reputation allowing those events to be blocked more confidently
Summary
Implementing Cisco Threat Control Solutions
• The attack surface is wide and long
– Email Threats, Web Threats, Network Threats, Mobile Threats
• Security is receiving more attention than ever before
• Cisco Security Solutions help to secure networks and reduce risk
• Security Engineers are in high demand
• Other Cisco security solutions, such as the Cisco Identity Services Engine, work hand-in-hand with the Cisco Threat Protection product sets
• Security requires an architectural, integrated approach
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
– Your favorite speaker’s Twitter handle <@SamCamarda>
– Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could be a Winner
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• CCNP Study Group
– https://learningnetwork.cisco.com/groups/ccnp-security-study-group